9f20529f10
- Remove iCloud duplicate files (test_db 2.py, src/db 2.py) - Fix metrics expression fallback to top-level field in transformer + webapp - Fix sync_data.sh rsync exception pattern for $SSH_HOST variable - Fix deploy_guard cp regex to skip shell variable expansions - Update sudoers-deploy with missing root:data-ops rules - Update CRITICAL_DIRS ownership expectations to match deploy.sh reality 913 tests passing, 0 failures.
172 lines
11 KiB
Text
172 lines
11 KiB
Text
# Sudoers configuration for deploy user (Debian 12)
|
|
# Install with: sudo cp /opt/data-analyst/repo/server/sudoers-deploy /etc/sudoers.d/deploy
|
|
# Validate with: sudo visudo -cf /etc/sudoers.d/deploy
|
|
#
|
|
# Note: On Debian 12, core utils are in /usr/bin/ (not /bin/)
|
|
|
|
# Allow deploy user to manage server scripts
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/bin/* /usr/local/bin/*
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 755 /usr/local/bin/*
|
|
|
|
# Allow deploy user to manage sudoers files (explicit paths, no wildcards)
|
|
deploy ALL=(ALL) NOPASSWD: /usr/sbin/visudo -cf /opt/data-analyst/repo/server/sudoers-deploy
|
|
deploy ALL=(ALL) NOPASSWD: /usr/sbin/visudo -cf /opt/data-analyst/repo/server/sudoers-webapp
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/sudoers-deploy /etc/sudoers.d/deploy
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/sudoers-webapp /etc/sudoers.d/webapp
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 440 /etc/sudoers.d/deploy
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 440 /etc/sudoers.d/webapp
|
|
|
|
# Allow deploy user to manage application directory permissions
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R root\:data-ops /opt/data-analyst
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /opt/data-analyst/repo/.env
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 770 /opt/data-analyst
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R g+s /opt/data-analyst
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 640 /opt/data-analyst/repo/.env
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/tee /opt/data-analyst/repo/.env
|
|
|
|
# Allow deploy user to manage webapp
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/webapp.service /etc/systemd/system/webapp.service
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart webapp
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload webapp
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start webapp
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop webapp
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl status webapp
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-active webapp
|
|
|
|
# Allow deploy user to manage nginx
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl reload nginx
|
|
|
|
# Allow deploy user to write webapp env file
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/tee /opt/data-analyst/.env
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /opt/data-analyst/.env
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 640 /opt/data-analyst/.env
|
|
|
|
# Allow deploy user to manage scripts in /data/scripts
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/scripts
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/scripts/* /data/scripts/*
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 755 /data/scripts
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R deploy\:data-ops /data/scripts
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R root\:data-ops /data/scripts
|
|
|
|
# Allow deploy user to manage documentation in /data/docs
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/docs
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/docs/*
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/docs/* /data/docs/*
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp -r /opt/data-analyst/repo/docs/* /data/docs/
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 775 /data/docs
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R deploy\:data-ops /data/docs
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R root\:data-ops /data/docs
|
|
|
|
# Allow deploy user to manage notifications directory
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/notifications
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown deploy\:data-ops /data/notifications
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /data/notifications
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 2770 /data/notifications
|
|
|
|
# Allow deploy user to manage notify-bot service
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/services/telegram_bot/systemd/notify-bot.service /etc/systemd/system/notify-bot.service
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl daemon-reload
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart notify-bot
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start notify-bot
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop notify-bot
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable notify-bot
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-active notify-bot
|
|
|
|
# Allow deploy (notify-bot) to list/run notification scripts as dataread group members only
|
|
# Used by /status "Run" button in Telegram via notify-scripts helper
|
|
deploy ALL=(%dataread) NOPASSWD: /usr/local/bin/notify-scripts
|
|
|
|
# Allow deploy user to manage ws-gateway service
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/services/ws_gateway/systemd/ws-gateway.service /etc/systemd/system/ws-gateway.service
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart ws-gateway
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start ws-gateway
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop ws-gateway
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable ws-gateway
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-active ws-gateway
|
|
|
|
# Allow deploy user to manage limits configuration
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/server/limits-users.conf /etc/security/limits.d/99-users.conf
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 644 /etc/security/limits.d/99-users.conf
|
|
|
|
# Allow deploy user to manage example notification scripts
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/examples
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/examples/notifications
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/examples/notifications/* /data/examples/notifications/*
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 755 /data/examples
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R deploy\:data-ops /data/examples
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R root\:data-ops /data/examples
|
|
|
|
# Allow deploy user to manage Jira data directory
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/src_data/raw/jira/*
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown -R root\:data-ops /data/src_data/raw/jira
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod -R 2770 /data/src_data/raw/jira
|
|
|
|
# Allow deploy user to manage password auth directory
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/auth
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown www-data\:data-ops /data/auth
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 2770 /data/auth
|
|
|
|
# Allow deploy user to manage corporate memory directory and service
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/corporate-memory
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown deploy\:data-ops /data/corporate-memory
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /data/corporate-memory
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 2770 /data/corporate-memory
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/services/corporate_memory/systemd/corporate-memory.service /etc/systemd/system/corporate-memory.service
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/services/corporate_memory/systemd/corporate-memory.timer /etc/systemd/system/corporate-memory.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable corporate-memory.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start corporate-memory.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop corporate-memory.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-enabled corporate-memory.timer
|
|
|
|
# Allow deploy user to manage jira-sla-poll service and timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/connectors/jira/systemd/jira-sla-poll.service /etc/systemd/system/jira-sla-poll.service
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/connectors/jira/systemd/jira-sla-poll.timer /etc/systemd/system/jira-sla-poll.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable jira-sla-poll.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start jira-sla-poll.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop jira-sla-poll.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-enabled jira-sla-poll.timer
|
|
|
|
# Allow deploy user to manage session-collector service and timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /data/user_sessions
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /data/user_sessions
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 2770 /data/user_sessions
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/services/session_collector/systemd/session-collector.service /etc/systemd/system/session-collector.service
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/services/session_collector/systemd/session-collector.timer /etc/systemd/system/session-collector.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable session-collector.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start session-collector.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop session-collector.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-enabled session-collector.timer
|
|
|
|
# Allow deploy user to manage jira-consistency service and timers
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/connectors/jira/systemd/jira-consistency.service /etc/systemd/system/jira-consistency.service
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/connectors/jira/systemd/jira-consistency.timer /etc/systemd/system/jira-consistency.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/cp /opt/data-analyst/repo/connectors/jira/systemd/jira-consistency-deep.timer /etc/systemd/system/jira-consistency-deep.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/touch /opt/data-analyst/logs/jira-consistency.log
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /opt/data-analyst/logs/jira-consistency.log
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 664 /opt/data-analyst/logs/jira-consistency.log
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable jira-consistency.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start jira-consistency.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop jira-consistency.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-enabled jira-consistency.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable jira-consistency-deep.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl start jira-consistency-deep.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop jira-consistency-deep.timer
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl is-enabled jira-consistency-deep.timer
|
|
|
|
# Allow deploy user to manage data staging directory
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/mkdir -p /tmp/data_analyst_staging
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chown root\:data-ops /tmp/data_analyst_staging
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/chmod 2770 /tmp/data_analyst_staging
|
|
|
|
# Allow deploy user to manage ACLs for Jira attachments
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -m g\:dataread\:rx /data/src_data/raw/jira/attachments
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -d -m g\:dataread\:rx /data/src_data/raw/jira/attachments
|
|
|
|
# Allow deploy user to manage ACLs for private parquet directory
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -m g\:data-private\:rx /data/src_data/parquet/private/
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -d -m g\:data-private\:rx /data/src_data/parquet/private/
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -x g\:dataread /data/src_data/parquet/private/
|
|
deploy ALL=(ALL) NOPASSWD: /usr/bin/setfacl -R -d -x g\:dataread /data/src_data/parquet/private/
|
|
|
|
# Allow deploy user to add itself to dataread group (for socket group ownership)
|
|
deploy ALL=(ALL) NOPASSWD: /usr/sbin/usermod -a -G dataread deploy
|